Add Storage DataProtection integration package #9961
Conversation
pakrym
requested review from
JoshLove-msft,
KrzysztofCwalina,
amnguye,
chidozieononiwu,
danieljurek,
mitchdenny,
seanmcc-msft,
tg-msft and
weshaggard
as code owners
|
Should this be |
|
Naming is something I'm very open to changing. I'm trying to get the package building and ship a preview out of our repo so partners can start using it. APIs and and names are up for discussion. |
...age.Blobs.AspNetCore.DataProtection/src/Azure.Storage.Blobs.AspNetCore.DataProtection.csproj
Outdated
Show resolved
Hide resolved
...age.Blobs.AspNetCore.DataProtection/src/Azure.Storage.Blobs.AspNetCore.DataProtection.csproj
Outdated
Show resolved
Hide resolved
...age.Blobs.AspNetCore.DataProtection/src/Azure.Storage.Blobs.AspNetCore.DataProtection.csproj
Show resolved
Hide resolved
| // returns a TimeSpan in the range [0.8, 1.0) * ConflictBackoffPeriod | ||
| // not used for crypto purposes | ||
| var multiplier = 0.8 + (_random.NextDouble() * 0.2); | ||
| return (int) (multiplier * ConflictBackoffPeriod.Ticks); |
There was a problem hiding this comment.
I feel like this is the third copy of this code. Might be worth filing a bug to create a shared source version of it.
There was a problem hiding this comment.
I know we have exponential backoff in couple places but haven't seen random back off anywhere else. Do you have an example?
There was a problem hiding this comment.
I was thinking of https://github.com/Azure/azure-sdk-for-net/blob/master/sdk/eventhub/Azure.Messaging.EventHubs.Shared/src/Core/BasicRetryPolicy.cs#L115, but that is sufficiently more complicated.
sdk/storage/Azure.Storage.Blobs.AspNetCore.DataProtection/src/AzureBlobXmlRepository.cs
Show resolved
Hide resolved
| // The SAS token is present in the query string. | ||
| if (uriBuilder.Sas == null) | ||
| { | ||
| client = new BlobClient(blobUri, new DefaultAzureCredential()); |
There was a problem hiding this comment.
I guess there's no meaningful case where this would ever be a public access blob, right? That's the only other case where the Sas would be null with a shared key.
There was a problem hiding this comment.
Would it actually be nicer to throw if there's no Sas and make users supply the DefaultAzureCredential themselves in the other overload that takes a token credential? I don't have a good feel for how much magic is the right amount of magic in the ASP.NET world.
| /// <remarks> | ||
| /// The container referenced by <paramref name="blobUri"/> must already exist. | ||
| /// </remarks> | ||
| public static IDataProtectionBuilder PersistKeysToAzureBlobStorage(this IDataProtectionBuilder builder, Uri blobUri, TokenCredential tokenCredential) |
There was a problem hiding this comment.
I find it a little confusing that we've got helpers for Sas/TokenCredential but not SharedKeyCredential/ConnectionString. I get that users could instantiate it themselves and pass a BlobClient in to the other overload, but I'm not sure it will be as obvious to others. I'm guessing this is a design decision to guide people toward better auth choices? I think it's fine to Preview but would be worth looking to see if people struggle here.
sdk/storage/Azure.Storage.Blobs.AspNetCore.DataProtection/tests/MockResponse.cs
Outdated
Show resolved
Hide resolved
| } | ||
|
|
||
| [Test] | ||
| public void StoreUpdatesWhenExistsAndNewerExists() |
There was a problem hiding this comment.
Can we add one to test what happens when a blob does exist there but it's not ASP.NET keys?
|
I feel like we should structure the naming as |
There are other packages that need to have Extension in the name and I'm worried that I like that the names are way shorted the way you propose. |
heaths
left a comment
heaths
left a comment
There was a problem hiding this comment.
Signing off with comments. Only reviewed general and KV files.
| <PackageTags>$(PackageTags);azure;keyvault</PackageTags> | ||
| <Version>1.0.0-preview.1</Version> | ||
| <EnableApiCompat>false</EnableApiCompat> | ||
| <IsExtensionClientLibrary>true</IsExtensionClientLibrary> |
There was a problem hiding this comment.
Good point, I'll move some packages under IsTestProject condition instead.
| <PackageReference Update="Azure.Storage.Blobs" Version="12.0.0" /> | ||
| </ItemGroup> | ||
|
|
||
| <ItemGroup Condition="'$(IsExtensionClientLibrary)' == 'true'"> |
There was a problem hiding this comment.
Doesn't this increase the risk of dependencies getting out of date? I don't see any benefit here since the compiler will elide any references that aren't needed and, in fact, these don't actually add package references anyway - just update existing ones with a version.
There was a problem hiding this comment.
This condition is to prevent "normal" azure SDKs from taking dependency on "extensions" packages that are intended only for a few selected plugin packages.
|
Filed #10003 to follow up on extension methods. |
| <PackageReference Update="Microsoft.DotNet.GenAPI" Version="5.0.0-beta.19552.1" /> | ||
|
|
||
| <!-- Azure SDK packages --> | ||
| <PackageReference Update="Azure.Storage.Blobs" Version="12.0.0" /> |
There was a problem hiding this comment.
This is already in the larger package list and set to 12.2.0.
There was a problem hiding this comment.
Not sure what's up with this. I just moved this reference around.
| </ItemGroup> | ||
|
|
||
| <!-- Track 2 specific versions --> | ||
| <ItemGroup Condition="'$(IsClientLibrary)' == 'true'"> |
There was a problem hiding this comment.
All of the extension are already in the general item group above as well. While this override some it doesn't eliminate others. Part my issue with this change is trying to avoid duplicate versions across our different package sets. Perhaps we should figure out a way to ensure we don't have duplicate items across the different package types where there are different conflicting versions. Ideally we shouldn't find a package listed more then once in this file.
There was a problem hiding this comment.
Let me see who references those and try to clean them up.
There was a problem hiding this comment.
They might be referenced by the track 1 libraries. At a min we should probably make the lists mutually exclusive (i.e. make the larger top list '$(IsClientLibrary)' != 'true').
There was a problem hiding this comment.
Making them exclusive might involve a lot of churn that I don't want to include into this PR. I moved all Extensions references to test project only group.
There was a problem hiding this comment.
This file is also used as the baseline for ApiCompat.
There was a problem hiding this comment.
We might need to start using a separate file for ApiCompat.
I think Azure.AspNet.DataProtection.Blobs is better. The feature is only interesting to people who use ASP.NET, and so it should be grouped in an "asp.net" group. I don't think we should sprinkle these types all over Azure SDK namespaces. |
Sounds good, but I'd like to change one this and use AspNetCore instead of AspNet as it's more consistent with other such libraries. |
|
/azp run net - core - ci |
|
Azure Pipelines successfully started running 1 pipeline(s). |
5 participants
This migrates existing dataprotection key storage extension to track 2 (https://www.nuget.org/packages/Microsoft.AspNetCore.DataProtection.AzureStorage/)